General Data Protection Regulation (GDPR)

Giving you a clear view on how we use your personal data

Do you always know how your data is being used and protected by the companies you’re giving it to? Many of us don’t. As technology develops and data sharing becomes more common, data protection is becoming more and more important. That’s why new legislation known as GDPR (General Data Protection Regulation) is being enforced on the 25th May. This will replace the existing Data Protection Act. Find out below what exactly this means for you as a customer.

As technology develops and our private data is being used and shared in countless new ways, people are understandably becoming increasingly worried about security.

There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.

Different countries in the EU follow different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules!

In the UK, companies are still following the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing have developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect our data from breaches and hacks.

When people talk about technology and digital developments, there’s always a focus on data. But what data do they mean? GDPR aims to protect any personal data a company holds about you – including your name, address, email address, images, social networking accounts, IP address or medical history.

It will also cover more sensitive data such as your sexual orientation, your genetics, your political views or any trade union memberships.

Essentially, GDPR will affect everyone in all 28 EU member states, from businesses big and small, to customers and consumers.

When it comes to implementing GDPR, the biggest changes will be seen by businesses rather than consumers – since they’re the ones who will have to adjust the way they handle data to align with the new legislation.

There are hefty penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there’s a risk involved to the data subject (i.e. the people the data concerns) they’ll have to inform their customers too.

While businesses will have to make changes to their data policies in preparation for the new regulations, consumers don’t have to do anything in particular to prepare.

That said, individual consumers will probably still notice some changes. You’ll probably find that when you buy products online or sign up to newsletters, there will be more obvious checkboxes relating to how the company can use your data – for example to send you emails, or share data with a third party.

However, GDPR also gives you a number of ‘rights’ when it comes to your data, including:

The right to be informed – you have a right to know how your data will be used by a company.

The right to access your personal data – you can ask any company to share with you the data they have about you!

The right to rectification – this just means you can update your data if it’s inaccurate or if something is missing.

The right to erasure – this means that you have the right to request that a company deletes any personal data they have about you. There are some exceptions, for example, some information can be held by employers and ex-employers for legal reasons.

The right to restrict processing – if you think there’s something wrong with the data being held about you, or you aren’t sure a company is complying with the rules, you can restrict any further use of your data until the problem is resolved.

The right to data portability – this means that if you ask, companies will have to share your data with you in a way that can be read digitally – such as a pdf. This makes it easier to share information with other companies, such as your bank details when applying for a loan.

The right to object – you can object to the ways your data is being used. This should make it easier to avoid unwanted marketing communications and spam from third parties.

Rights in relation to automated decision making and profiling – this protects you in cases where decisions are being made about you based entirely on automated processes rather than human input.

Whether or not you exercise your new rights is up to you – the main thing to remember is that they’re there if you need them.

We are committed to protecting our members’ privacy. The credit union requires any information marked as mandatory for membership to either meet legal obligations or to enable us to perform our contract with you. Where you are not able to provide us with this information, we may not be able to open an account for you. Where we request further information about you not required for these reasons, we will ask you for your consent.

For performance of our contract with you

deal with your account(s) or run any other services we provide to you;

consider any applications made by you;

carry out credit checks and obtain and provide credit references;

undertake statistical analysis, to help evaluate the future needs of our members and to help manage our business

send you statements, new terms & conditions (including changes to this privacy statement), information about changes to the way your account(s) operate and notification of our annual general meeting.

For our legitimate interests

recover any debts owed to us

With your consent

maintain our relationship with you including marketing and market research (if you agree to them)

Sharing your personal information

We will disclose information outside the credit union:

to third parties to help us confirm your identity to comply with money laundering legislation

to credit reference agencies and debt recovery agents who may check the information against other databases – private and public – to which they have access

to any authorities if compelled to do so by law (e.g. to HM Revenue & Customs to fulfil tax compliance obligations)

to fraud prevention agencies to help prevent crime or where we suspect fraud;

to any persons, including, but not limited to, insurers, who provide a service or benefits to you or for us in connection with your account(s)

to our suppliers in order for them to provide services to us and/or to you on our behalf

to anyone in connection with a reorganisation or merger of the credit union’s business

other parties for marketing purposes (if you agree to this)

Where we send your information

While countries in the European Economic Area all ensure rigorous data protection laws, there are parts of the world that may not be quite so rigorous and do not provide the same quality of legal protection and rights when it comes to your personal information.

The credit union does not directly send information to any country outside of the European Economic Area, however, any party receiving personal data may also process, transfer and share it for the purposes set out above and in limited circumstances this may involve sending your information to countries where data protection laws do not provide the same level of data protection as the UK.

For example, when complying with international tax regulations we may be required to report personal information to HM Revenue and Customs, which may transfer that information to tax authorities in countries where you or a connected person may be tax resident.

Retaining your information

The credit union will need to hold your information for various lengths of time depending on what we use your data for. In many cases we will hold this information for a period of time after you have left the credit union.

To read our policy for retaining members’ data please contact us at: admin@wyvernsandl.co.uk

Credit rating agencies

In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail on:

Your rights explained

Right to Access

You have the right to access your personal data and details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.

The right to rectification

You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.

The right to erasure

In some circumstances you have the right to the erasure of your personal data without undue delay.

Those circumstances include:

the personal data is no longer needed for the purpose it was originally processed

you withdraw consent you previously provided to process the information

you object to the processing under certain rules of data protection law

the processing is for marketing purposes

the personal data was unlawfully processed

However, you may not erase this data where we need it to meet a legal obligation or where it is necessary for the establishment, exercise or defence of legal claims.

The right to restrict processing

In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are:

you contest the accuracy of the personal data;

processing is unlawful but you oppose erasure;

we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and

you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data.

We will only otherwise process it:

with your consent;

for the establishment, exercise or defence of legal claims; or

for the protection of the rights of another natural or legal person.

The right to object to processing

You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the data is necessary for the purposes of the legitimate interests pursued by us or by a third party.

If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.

The right to data portability

To the extent that the legal basis for our processing of your personal data is:

consent; or

that the processing is necessary for the performance of our contract with you

You have the right to receive your personal data from us in a commonly used and machine-readable format or instruct us to send this data to another organisation. This right does not apply where it would adversely affect the rights and freedoms of others.

Right to withdraw consent

To the extent that the legal basis for our processing of your personal information is your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

The right to complain to the Information Commissioner’s Office

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with the Information Commissioner’s Office which is responsible for data protection in the UK. You can contact them by:

Contact us about your rights

For more information about how your rights apply to your membership of the credit union, or to make a request under your rights, you can contact us at admin@wyvernsandl.co.uk or call 01305 268444. We will aim to respond to your request or query within one month or provide an explanation of the reason for our delay.

Contact details of credit union

Compliance Director

Wyvern Credit Union

40 High East Street

Dorchester

Dorset

DT1 1HN

01305 268444

admin@wyvernsandl.co.uk

Changes to this privacy policy

We can update this Privacy Policy at any time and ideally you should check it regularly here www.wyvernsandl.co.uk/GDPR for updates. We won’t alert you for every small change, but if there are any important changes to the Policy or how we use your information we will let you know and where appropriate ask for your consent.

The three main credit reference agencies, Callcredit, Equifax and Experian (also called "credit reference agencies" or "CRAs"), each use and share personal data (also called ‘bureau data’) they receive about you and/or your business that is part of or derived from or used in credit activity.